Cybersecurity Resources
Policies
These resources are mandatory for anyone who works with DjaoDjin to read or watch.
- Regularly conduct audits of end-users, roles and associated permissions
- Enforce MFA whenever possible. Prefer OTP when available.
- Enforce strong password policies
See detailed Operational Guidelines.
Courses
For non-technical employees and contractors, Cyber Security Awareness Training for Employees is a good course.
The following are in-depth courses about specific cybersecurity topics. If you work for DjaoDjin and the materials are not freely accessible, please bring it to the attention of your manager. There is always a budget for education around cybersecurity topics.
Application-specific
If you are an application developer at DjaoDjin, or are responsible in general for building business logic applications, you will want to read the following security-focused articles.
- Best practices for microservices security
  - Apply a number of different layers of security
  - Use security scanners for your containers
  - Use an API gateway
  - Use OAuth for user identity and access control
  - Don’t write your own crypto code
  More to read: 8 best practices for microservices security
- Cloud storage security: What’s new in the threat matrix
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Choosing an SSO Strategy: SAML vs OAuth2
- Client-side business logic
- Broken Authentication and Session Management – part Ⅰ
- User Authentication and Access Control in a Web Application
- Understanding the CSRF (Cross-site request forgery) Vulnerability
- How to Persist JWT Tokens for Your SaaS Application
  - How about limiting the expiration of JWT tokens? Setting the expiry to 5 minutes? Well, it solves a part of the problem but still leaves you exposed.
  - How about saving the token in memory? While this does solve the security problem, it breaks usability, as we cannot handle scenarios such as page refresh / new tab.
  - Maybe saving the JWT token as an HTTP-only cookie? That totally works, but exposes us to CSRF attacks unless additional CSRF protection is in place.
  Persisting through refresh tokens and HTTP-only cookies: using this approach we can store the JSON Web Tokens in memory while saving the refresh tokens in HTTP-only cookies. The refresh tokens are not vulnerable to CSRF attacks on form submits because the attacker cannot get the value of the JWT which was returned from the endpoint.
- JSON Web Token Best Current Practices
- Web Based Session Management: Best practices in managing HTTP-based client sessions
- Best practices for REST API security: Authentication and authorization
Operation-specific
If you are an operations engineer at DjaoDjin, or are responsible in general for making sure machines are up and running, you will want to read the following security-focused articles.
On a website, nefarious automation typically includes:
- content scraping
- credential stuffing
- application DDoS
- web form abuse
- token guessing
Types of behavioral patterns that can be linked to an IP address can include (but are not limited to):
- Total number of requests
- Total number of pages visited
- The time between page views
- The sequence in which pages are visited
- Types of resources loaded on pages
References
A bit dry sometimes, yet great entry points for in-depth understanding of a topic.
- Computer Security Resource Center
- Security Focus
- Exploit-DB
- Full Disclosure
- Security Bloggers Network
- Forums for discussing modern cryptographic practice
- Content Security Policy Reference
- Google Infrastructure Security Design Overview
- Measuring what matters in cybersecurity
- NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security
- EnGarde Linux
News site and RSS Feeds
Publications with cybersecurity-focused news
Timely articles
Random news and opinions around the Web worth reading.
- Passports Were a “Temporary” War Measure
- Apple’s Fingerprint ID May Mean You Can't "Take the Fifth"
- Amazon.com - Employee Access Challenge
- The Wrong War: The Insistence on Applying Cold War Metaphors to Cybersecurity Is Misplaced and Counterproductive
- Two-Factor Authentication Is a Mess
- Future of SSL in doubt?
- BlackHat USA 2011: SSL And The Future Of Authenticity
- Abusing CSS Selectors to Perform UI Redressing Attacks
- The Unpatchable Malware That Infects USBs Is Now on the Loose
- Driving Robocallers Crazy With the Jolly Roger Bot
- How to Crash Systemd in One Tweet
- The Web Authentication Arms Race – A Tale of Two Security Experts
- The Web never forgets: Persistent tracking mechanisms in the wild
- The Internet: Anonymous forever
- Why "security" keeps winning out over privacy?
- Am I Unique?
- How Private DNA Data Led Idaho Cops on a Wild Goose Chase and Linked an Innocent Man to a 20-year-old Murder Case
- How is NSA breaking so much crypto?
- NSA-proof your email in 2 hours
- a scheme to thwart government surveillance of sensitive online payments
- A children's guide to the NSA (and a fairy tale for the rest of us)
- Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance
- RSA Animate: The Truth About Dishonesty
- yURLs
- Spying on the homefront
- Awesome-ml-for-cybersecurity
- How to Leverage the Shared Responsibility Model During Your Security Audit
- Balancing frontend security and performance with HTTP Strict Transport Security
- IBM Differential Privacy Library: The single line of code that can protect your data
- About OpenPMF - Security policy management through automation.
- Container monitoring using Splunk
- Pentest lab - Metasploitable 2